Why industrial-automation security should be a renewed focus
As industrial organizations grapple with COVID-19 fallout, automation has become an even hotter topic. Experts fear, however, that the acceleration of automation could drive unforeseen consequences for organizations that don’t focus on security.
“When it comes to automation and industrial control systems (ICS), there is no doubt haste makes more than waste,” said Dan Miklovic, an analyst at the Analyst Syndicate. “It leads to potentially catastrophic or deadly outcomes.”
Mission-critical systems in industrial facilities have traditionally relied on the close oversight of human workers because the senses were “usually the most effective way to ensure optimum uptime,” said Chris Catterton, director of solution engineering at ONE Tech. That is changing. Automated systems often exceed human capacity to spot machine problems. An automated system can detect when a torque value on a bolt is, for instance, a few pounds light, or hear a high-frequency bearing squeal undetectable to the human ear, Catterton said.
But being lax in terms of industrial automation security can be dangerous. Hobbyist electronics, for instance, may make automating industrial machinery simple, but such products can also provide cyberattackers with a familiar target, Miklovic said. “Plug-and-play automation solutions that are not built with security in the forefront can also open the door for a vast amount of vulnerabilities,” Catterton said.
Take Care With AI Deployments, Too
There’s also a risk that organizations will hastily deploy artificial intelligence (AI) as part of their automation initiative. With data science experts in short supply and many experienced industrial operators sidelined as a result of COVID-19 quarantines, there is a heightened danger of errors creeping into AI algorithms. There’s a risk that “the person trying to train the system lacks critical safety information,” Miklovic said.
Even in ideal conditions, developing software or AI algorithms inevitably introduces some error. One rule of thumb holds that there are one to 10 mistakes per 1,000 lines of software, as the book “The Fifth Domain” has observed. Even software for mission-critical space systems could have one to five errors per 1,000 lines of code.
With software often having millions or billions of lines of code, the need to prevent and correct bugs becomes critical. History provides examples that underscore the risk of cutting corners in industrial automation security. The Ariane 5 rocket disaster of 1996 is one such example. After software developers from the European Space Agency failed to adequately update code they borrowed from a predecessor rocket, the rocket exploded. Because the speed of the craft during the launch exceeded the bounds its software specified, the rocket self-destructed. “The cost of this software error was about $300 million,” said Johannes Bauer, Ph.D., principal security advisor at UL.
Another example of costly software shortcuts is the grounding of the Boeing 737 Max in 2019. After software development tasks were outsourced to $9-an-hour engineers, the plane killed 346 people in two accidents. An automated system relying on information from a sole sensor played a role in the crashes, according to the New York Times. The cost of grounding the 737 after the two accidents is $18 billion, according to Boeing estimates.
To read the complete article, visit IoT World Today.